Chrome HTTPS Red Crossout Certificate Issue - Solved

dtheimer

I would like to fix this issue with Google Chrome not using an HTTPS connection when connecting to the pfSense WebGUI interface.
(I realize and have been clicking on the "Advance" link, but I would like to correct the issue and use a secure connection)

pfSense Version: 2.3.2

I followed this guidance using pfSense:

In order to secure the Web interface you need to create a CA(certificate authority) by going to system–>cert manager–>CAs(Tab). Once you have a CA created then you can issue certificates to secure the web interface. When you create a CA make sure that in the “method” field you select “Create an Internal Certificate Authority”. You should do 2048 bits or higher for the key length and SHA 512 for the digest. Fill out the rest of the information under the distinguished name.
Once you have the CA created head over to the Certificates tab in the same area and create a certificate.For the method you want to select “Create an internal certificate”. The “certificate authority” field should reflect the name of the CA that you created earlier. The key length should be 2048 or higher and the digest SHA 512. The “certificate type” field should be set to “server certificate”. Fill out the rest of the information in the “Distinguished Name” area.
Head over to System–>Advanced–>Admin Access Tab and change the protocol to HTTPS. Under the “SSL Certificate” select the name of the certificate that we created above. Hit save when you are done and that will secure the web interface. You should then be able to access your pfsense box using “https://YOURGATEWAYIPADDRESS”.

In addition, I exported the certificate from pfSense and imported into Chrome, but that did not resolve the issue.

For clarity I attached two images of the Chrome Red X-ed out HTTPS warning from the URL and page indicating the page is not private.

johnpoz

Well why don't you just use the CA functionally in pfsense, create a CA - issue a cert, use that cert for the web gui https and then trust the CA..

If you setup SAN so you have both common name you use and IPs you might use then you can get a nice shiny green icon be it you connect to your local name or IP.. See attached

Just went over this a while ago in another thread.. Let me see if I can find it.

edit: here you go I went over it in this thread
https://forum.pfsense.org/index.php?topic=114712.0

dtheimer

Thank you!

Mistake: Importing the Certificate (cert) when it should have been the Certificate Authority (CA)

For others trying to solve this same issue here is a video on the topic: https://youtu.be/vZpAIKJ9jyA

Note: After the configuration was setup correctly the issue still existed.  This was resolved by clearing the Chrome history.

johnpoz

Didn't watch that whole video but link points to specific spot in the video talking about SAN.. It only showed IPs not any dns, so its actually good practice to set your common name as a san as well if using them.  It is possible from my understanding that some browsers depending how their makers interpret the rfc that is SAN is used to not use the common name.

So if going to create a SAN, you should do san with your IPs you will be using along with your common name, etc..

For example here is my cert on pfsense.  See it has 2 fqdn dns entries and 2 IPs so I can hit pfsense via one of its other interfaces if I wanted too, that was more of a test example for another thread more than actual need.  And it also has a common name set as just the pfsense.local.lan.

If you do want to hit your pfsense via some other fqdn you will have to adjust pfsense to allow that or you will get a rebinding error, etc.  That would be in System / Advanced / Admin / Alternate Hostnames